Field | Value |
---|---|
Created | 2023.09.18 16:39 |
Machine | s1_win7_x6403 |
Filename | rockss.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 48 detected (AIDetectMalware, Fabookie, Razy, GenericRXTF, Save, malicious, Lazy, Eldorado, Attribute, HighConfidence, high confidence, score, Lzfl, moderate, Tnega, 10AFFS0, Redline, ASAO, Detected, R497632, BScope, Nitol, ai score=85, unsafe, Genetic, AMADEY, YXDIRZ, DcRat, BNER4NzZWDL, Static AI, Suspicious PE, susgen, Tiny, ZexaF, @tW@aGbz1sli, confidence, 100%) |
md5 | b32d5a382373d7df0c1fec9f15f0724a |
sha256 | 010fe481ba6275ebbf71e102e66d73f5d819252f2b4b1893d2acf53c04f4200f |
ssdeep | 98304:1baEG/yFFxGJ2sdlCVRdjvIp+CF0GYI8opL4wnZ8Hs:1rG/wGosdmpQI0YIp4NM |
imphash | a9c887a4f18a3fede2cc29ceea138ed3 |
impfuzzy | 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn |
Network IP location
Signature (16 counts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects Avast Antivirus through the presence of a library |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
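The one "danger" injection row and the five "watch" rows above are the sandbox's view of a single API sequence: create a child process suspended, allocate RWX memory in it, write into it, change the primary thread's context, resume it. The Python below is an added example, not the sandbox's own engine or any code from this report; it reproduces those signature names from a constructed API-call trace. The trace line layout ("<caller pid> <api>(<name>=<value>, ...)") and the assumption that the sandbox has already resolved process handles to a dwProcessId field are mine.

```python
"""Added example (not part of the sandbox report): re-derive the process-injection
signatures from the table above out of a constructed API-call trace."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # flProtect value for RWX memory
CREATE_SUSPENDED = 0x4          # dwCreationFlags bit for a suspended child

# Constructed trace (not from the report) of a process-hollowing style chain.
# Assumption: handles are already resolved to a dwProcessId field by the sandbox.
TRACE = r"""
1234 VirtualAlloc(lpAddress=0x0, dwSize=0x200000, flProtect=0x40)
1234 CreateProcessA(lpApplicationName="C:\Windows\System32\svchost.exe", dwCreationFlags=0x4, dwProcessId=4100)
1234 VirtualAllocEx(dwProcessId=4100, lpAddress=0x400000, dwSize=0x8b000, flProtect=0x40)
1234 WriteProcessMemory(dwProcessId=4100, lpBaseAddress=0x400000, nSize=0x8b000)
1234 NtSetContextThread(dwProcessId=4100, hThread=0x1c8)
1234 ResumeThread(dwProcessId=4100, hThread=0x1c8)
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')


def parse_trace(text):
    """Parse trace lines into (caller pid, api name, {arg: value}) tuples.
    Quoted values stay strings; everything else is parsed as an integer (0x.. allowed)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for key, value in ARG_RE.findall(m.group("args")):
            value = value.strip()
            args[key] = value.strip('"') if value.startswith('"') else int(value, 0)
        calls.append((int(m.group("pid")), m.group("api"), args))
    return calls


def injection_signatures(calls):
    """Map parsed calls onto the report's signature names. Returns (level, description)
    pairs in first-seen order; the 'danger' verdict is appended once one remote process
    has received RWX memory, a write, and a thread-context change or resume."""
    suspended = set()          # child pids created with CREATE_SUSPENDED
    steps = defaultdict(set)   # target pid -> injection steps observed against it
    sigs = []

    def add(level, desc):
        if (level, desc) not in sigs:
            sigs.append((level, desc))

    for caller, api, a in calls:
        target = a.get("dwProcessId")
        remote = target is not None and target != caller
        if api in ("CreateProcessA", "CreateProcessW"):
            if a.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                suspended.add(target)
        elif api == "VirtualAlloc" and a.get("flProtect") == PAGE_EXECUTE_READWRITE:
            add("notice", "Allocates read-write-execute memory (usually to unpack itself)")
        elif api == "VirtualAllocEx" and remote and a.get("flProtect") == PAGE_EXECUTE_READWRITE:
            steps[target].add("alloc")
            add("watch", "Allocates execute permission to another process indicative of possible code injection")
        elif api == "WriteProcessMemory" and remote:
            steps[target].add("write")
            add("watch", "Potential code injection by writing to the memory of another process")
        elif api == "NtSetContextThread" and remote:
            steps[target].add("context")
            add("watch", "Used NtSetContextThread to modify a thread in a remote process indicative of process injection")
        elif api == "ResumeThread" and remote and target in suspended:
            steps[target].add("resume")
            add("watch", "Resumed a suspended thread in a remote process potentially indicative of process injection")

    for target, seen in steps.items():
        if {"alloc", "write"} <= seen and seen & {"context", "resume"}:
            add("danger", "Executed a process and injected code into it")
    return sigs


if __name__ == "__main__":
    for level, desc in injection_signatures(parse_trace(TRACE)):
        print(f"{level:7} {desc}")
```

The "danger" row only fires when allocation, write and a context change or resume all land on the same target pid; a lone WriteProcessMemory stays at "watch", which is the distinction the report's level column is making.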
Rules (16 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x8a4880 malloc
0x8a4884 memset
0x8a4888 strcmp
0x8a488c strcpy
0x8a4890 getenv
0x8a4894 sprintf
0x8a4898 fopen
0x8a489c fwrite
0x8a48a0 fclose
0x8a48a4 __argc
0x8a48a8 __argv
0x8a48ac _environ
0x8a48b0 _XcptFilter
0x8a48b4 __set_app_type
0x8a48b8 _controlfp
0x8a48bc __getmainargs
0x8a48c0 exit
shell32.dll
0x8a48c8 ShellExecuteA
kernel32.dll
0x8a48d0 SetUnhandledExceptionFilter
EAT (Export Address Table): none
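The import table is small and generic: C runtime file I/O plus ShellExecuteA, which lines up with the "Drops an executable to the user AppData folder" and "Drops a binary and executes it" signatures above (getenv to locate a directory, sprintf to build a path, fopen/fwrite to write the payload, ShellExecuteA to run it). The Python below is an added example and not code from this report: it recomputes an imphash from the listing above using the algorithm pefile's get_imphash() applies, and runs a dropper-import heuristic that is my own assumption rather than a report signature. The recomputed hash equals the imphash field at the top of the page only if the listing preserves import-directory order, so compare the two rather than assume they match.

```python
"""Added example (not the report's code): recompute an imphash from the IAT listing
above and flag the dropper-style import combination."""
import hashlib

# Transcribed from the IAT listing on this page, in the order shown.
IMPORTS = [
    ("msvcrt.dll", ["malloc", "memset", "strcmp", "strcpy", "getenv", "sprintf",
                    "fopen", "fwrite", "fclose", "__argc", "__argv", "_environ",
                    "_XcptFilter", "__set_app_type", "_controlfp", "__getmainargs",
                    "exit"]),
    ("shell32.dll", ["ShellExecuteA"]),
    ("kernel32.dll", ["SetUnhandledExceptionFilter"]),
]

# Import groups that together describe "find a writable directory, build a path,
# write a file, execute it". Assumption (mine): one hit per group is enough.
DROPPER_GROUPS = {
    "locate_dir": {"getenv", "SHGetFolderPathA", "SHGetFolderPathW", "GetTempPathA", "GetTempPathW"},
    "build_path": {"sprintf", "_snprintf", "wsprintfA", "PathCombineA", "strcat"},
    "write_file": {"fwrite", "fopen", "WriteFile", "CreateFileA", "CreateFileW"},
    "execute": {"ShellExecuteA", "ShellExecuteW", "CreateProcessA", "CreateProcessW", "WinExec", "system"},
}


def imphash_string(imports):
    """Normalise the import table the way pefile does before hashing: DLL name
    lowercased with a .dll/.ocx/.sys suffix dropped, function names lowercased,
    entries joined as dll.func with commas, in import-directory order."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[:-len(ext)]
                break
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string (ordinal-only imports are not handled
    here; pefile resolves those through per-DLL lookup tables)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def triage_imports(imports):
    """Return ('dropper-pattern' | 'inconclusive', {group: [matched names]}).
    The verdict is a heuristic on static imports only; a packed payload resolves
    its real imports at runtime and will not show up here."""
    names = {func for _, funcs in imports for func in funcs}
    hits = {group: sorted(names & fns) for group, fns in DROPPER_GROUPS.items()}
    verdict = "dropper-pattern" if all(hits.values()) else "inconclusive"
    return verdict, hits


if __name__ == "__main__":
    print("imphash :", imphash(IMPORTS))
    verdict, hits = triage_imports(IMPORTS)
    print("verdict :", verdict)
    for group, matched in hits.items():
        print(f"  {group:11} {', '.join(matched) or '-'}")
```

If the printed hash differs from the imphash field on this page, the listing order differs from the import directory order; the hash is sensitive to order, so an imphash pivot should always be taken from the binary itself rather than from a transcribed listing.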